[Top] [All Lists]

Re: Do the must 'bounce' rules need to be relaxed for virus infec ted messages?

2004-03-25 12:35:17

----- Original Message ----- 
From: "Daryl Odnert" <daryl(_dot_)odnert(_at_)tumbleweed(_dot_)com>
To: <ietf-smtp(_at_)imc(_dot_)org>
Sent: Thursday, March 25, 2004 1:52 PM
Subject: RE: Do the must 'bounce' rules need to be relaxed for virus infec
ted messages?

Taking into account all the replies that I've seen so far, I would modify
proposed amendment to RFC 2821 as follows:

An SMTP server MAY decline to send the "undeliverable mail" notification
message when it can be reliably determined that the original message had
malicious or deceitful intent.  Determination of such intent is beyond the
scope of this specification.  However, SMTP servers MUST NOT decline to
a notification when the only evidence of deceit is an apparently spoofed
originator address.

Sorry to disagree.   Either the MAIL FROM is correct (verifiable) or its
not. How thats done is another issue.  (We choose to use a CBV.) You can't
have it both ways and expect logic to prevail.  It is either valid or its

Please, lets keep in mind that this talk only applies to post smtp
validation systems. In this era, if you (speaking in general) choose to
continue to operate in this mode, then thats your poor choice.  In fact, I
wouldn't be surprise if in the near future, such continued operations will
be considered malpractice by those who are hurt by your post SMTP validation

See RFC 2821 Section 3.3 Mail Transactions

3.3 Mail Transactions

   ............................... Despite the apparent
   scope of this requirement, there are circumstances in which the
   acceptability of the reverse-path may not be determined until one or
   more forward-paths (in RCPT commands) can be examined.  In those
   cases, the server MAY reasonably accept the reverse-path (with a 250
   reply) and then report problems after the forward-paths are received
   and examined.  Normally, failures produce 550 or 553 replies.

Follow this and your bounce issues will be minimized to those originating
from your own system.  Not from the outside.